Systems & Strategy · Field note
Cybersecurity
21 April 2026, Hakyun Ryu
A working note — rougher than the essays, kept here for reference.
21 April 2026, Hakyun Ryu
Core Thesis:
The current market’s fear that AI will displace traditional cybersecurity vendors is in my opinion is directionally misplaced. The stronger interpretation’s that AI expands the attack surface and possibilities, compresses the speed of offense, increases the volume of vulnerable softwares. This further raises the importance of automated detection, responses and secure-by-design tooling. Cybersecurity does not become any less necessary but rather even more crucial.
Many software and security stocks have experienced multiple compression as higher interest rates reduced the present value of long-duration growth and as investors worried that AI-native tools could weaken the incumbent industry.
Accelerating capex central to the AI transition, in the midst of global conflicts, energy shortages is putting more pressure on businesses heavily investing into their infrastructures.
Reuters noted that software stocks were hit by “AI disruption” concerns in early 2026, and Breakingviews previously observed that SaaS revenue multiples were already far below pandemic-era peaks.
But valuation pressure is not the same thing as structural obsolescence. In cybersecurity specifically, the evidence increasingly points to rising demand, broader platform adoption, and new product categories tied directly to AI.
Market Reactions:
Public cybersecurity equities have been repriced sharply downward through Q1 2026, with the iShares Cybersecurity & Tech ETF losing roughly 5% in a single session on AI-disruption fears and the Global X Cybersecurity ETF falling to its lowest level since November 2023 (CNBC, 2026a). CrowdStrike, Palo Alto Networks, Zscaler, SentinelOne, Okta, Netskope, and Tenable have all been caught in the downdraft, with Zscaler alone down more than 36% year-to-date at one point (Pradhan, 2026).
The market narrative driving this sell-off rests on a single thesis: generative AI exemplified by Anthropic's code-scanning capabilities and the "Project Glasswing" vulnerability-discovery collaboration, will compromise enterprise security solutions and make incumbent platforms obsolete (IndexBox, 2026).
Major Cybersecurity Companies: Competitive Analysis (2026)
Let’s take a look at some of the largest cybersecurity companies around today, their flagship products and services and how they’ve been adapting to the recent AI ‘threats’.
Tier 1 — Pure-Play Platform Leaders
| Company | Core Segment | Key Products / Services | Primary Revenue Drivers | AI Adaptation |
|---|---|---|---|---|
| CrowdStrike (CRWD) | Endpoint / XDR / Cloud | Falcon platform (EDR/XDR), Charlotte AI, Falcon Flex, Next-Gen Identity Security, Falcon Data Protection, Charlotte AI AgentWorks | Subscription ARR (~94% of revenue); USD 5.25B ARR growing 24% YoY; Q4 FY26 revenue USD 1.31B (+23% YoY) | Charlotte AI (FedRAMP-authorized generative AI SOC assistant, saves ~40 analyst-hours/week); Agentic Security Workforce; partnership with NVIDIA on edge AI agents; acquired Pangea (AI security); Charlotte AI Threat AI is the first agentic threat intelligence system |
| Palo Alto Networks (PANW) | Network / Cloud / AI SecOps | Strata (network security), Prisma Cloud, Cortex XDR / Precision AI, Unit 42 (threat intel & IR), CyberArk (PAM, via acquisition) | NGS ARR USD 5.9B (+29% YoY); total Q1 FY26 revenue USD 2.5B (+16% YoY); targeting USD 15B in NGS ARR by 2030 | Precision AI embedded across Cortex and Prisma; Project Glasswing (multi-org AI vulnerability discovery); Chronosphere acquisition extends AI-native cloud observability; platformization strategy bundles AI-native modules; Unit 42 deploys AI for threat attribution |
| Zscaler (ZS) | Zero Trust / SASE / Cloud Security | Zero Trust Exchange, ZIA (internet access), ZPA (private access), AI Security pillar, AI Guard, CSPM, DLP | Subscription ARR USD 3.4B (+25% YoY); Q2 FY26 revenue USD 816M (+26% YoY); AI Security ARR at USD 400M+ (>80% YoY growth, hit FY26 target 3 quarters early) | Zero Trust Exchange expanded to secure AI agent-to-agent and machine-to-machine interactions; AI Guard inspects and controls all AI-driven interactions in real time; consumption-based AI offerings grew ARR >100% YoY; repositioning explicitly as the identity + policy layer for the agentic era |
| SentinelOne (S) | AI-Native Endpoint / XDR | Singularity Platform, Purple AI, endpoint detection, cloud workload protection | Revenue ~USD 1B run rate; 43% YoY revenue growth; ~USD 4.3B market cap after 52-week low; Lenovo partnership bundles Purple AI on enterprise PC shipments | Purpose-built AI-first architecture from day one (not retrofitted); Purple AI automates threat investigation via natural language queries; likely acquisition target for Cisco/IBM given valuation dislocation |
Tier 2 — Network / Perimeter / Hybrid Leaders
| Company | Core Segment | Key Products / Services | Primary Revenue Drivers | AI Adaptation |
|---|---|---|---|---|
| Fortinet (FTNT) | Network Security / SASE | FortiGate (NGFW), FortiOS, FortiGuard threat intel, SASE, SD-WAN, FortiAI, FortiSOC (previewed 2026), FortiEndpoint | FY25 revenue USD ~6.75B; Q4 2025 revenue USD 1.91B (+15% YoY); 70% of revenue from high-margin services, 30% hardware; 80%+ gross margins; ~37% non-GAAP operating margin | FortiOS 8.0 embeds Secure AI controls and agentic workflows into the OS itself; FortiSOC (cloud-delivered, unified SIEM/SOAR/SIEM/TIP); FortiAI expanded across all SecOps tools with MCP support; agentic alert triage and autonomous threat hunting; Accelerate 2026 showed the most comprehensive agentic SOC roadmap of any legacy vendor |
| Cloudflare (NET) | Edge / Network / Application Security | SASE, Zero Trust (Cloudflare One), DDoS protection, WAF, Workers (edge compute), Magic WAN, AI Gateway | Recurring subscription revenue; ~USD 1.6B annual revenue growing ~28% YoY | AI Gateway product manages, monitors, and secures all AI API traffic (LLM calls); functions as the security and policy layer between enterprises and AI providers; edge network used to proxy and inspect AI workloads; growing "AI-adjacent security" positioning |
| Check Point Software (CHKP) | Network / Cloud / Endpoint | Quantum (firewalls/network), CloudGuard, Harmony (endpoint + email), Infinity AI Copilot, ThreatCloud AI | ~USD 2.4B annual revenue; slower growth (~5–7% YoY) but extremely high profitability; dominated by product licenses and subscriptions | Infinity AI Copilot is a fully-featured AI assistant with read access to security configs and logs; ThreatCloud AI aggregates threat intel from 150,000+ connected networks; CloudGuard WAF uses behavioral AI (not signatures) — blocked the React2Shell zero-day pre-emptively without emergency patching in Dec 2025, while competitors failed |
Tier 3 — Identity & Specialist Leaders
| Company | Core Segment | Key Products / Services | Primary Revenue Drivers | AI Adaptation |
|---|---|---|---|---|
| Okta (OKTA) | Identity & Access Management | Workforce Identity Cloud, Customer Identity Cloud, Okta AI, Identity Governance, Device Access, Privileged Access | Q4 FY26 revenue USD 761M (+11% YoY); total FY26 revenue ~USD 2.85B; RPO USD 4.83B (+15% YoY); operating cash flow USD 884M (30% margin) | AI Agent Identity — Okta is positioning as the only platform that can authenticate and authorize both human and AI agent identities; Okta AI embeds risk-based adaptive access; direct beneficiary of machine-identity explosion (80:1 machine-to-human ratio); growth slower than peers but the "identity-for-AI-agents" thesis is very early and potentially the most durable moat in the group |
| CyberArk (CYBR) | Privileged Access / Identity Security | PAM (Privileged Access Management), Secrets Management, Endpoint Privilege, Identity Security Platform | Acquired by Palo Alto Networks for USD 25B (announced FY25/26); previously ~USD 900M+ ARR growing ~30% YoY | Machine identity management was the core acquisition thesis for PANW — as AI agents proliferate, every agent has credentials that need PAM treatment; CyberArk's secrets management is directly applicable to AI pipelines and LLM infrastructure |
Worth keeping one row separate from the pure-plays:
| Company | Why It Matters | AI Security Play | Risk to Pure-Plays |
|---|---|---|---|
| Microsoft (MSFT) | USD 37B in annual cybersecurity revenue — larger than the entire pure-play sector combined; already embedded in every enterprise via M365 | Defender, Sentinel (SIEM), Purview (compliance/DLP), Copilot for Security | Bundles "good enough" security with compute at prices pure-plays structurally cannot match; the single biggest long-term risk to every company in the tables above |
A few things that jump out when you look at this collectively:
The clearest pattern’s every company is in a race to own the Security Operations Centre (SOC) of the future. The AI-automated SOCs that replace or augment human analysts. CrowdStrike, Palo Alto, Fortinet, and SentinelOne are all converging on the same product vision from different starting architectures. Whoever wins that SOC contract gets the longest revenue relationship in enterprise IT.
Okta's CEO Todd McKinnon put it most directly: "AI is redefining the future of software and creating a critical need to secure AI agents, a challenge Okta was built to solve." That framing applies to the whole sector. The AI agent explosion is a product category that did not meaningfully exist two years ago and is now a primary growth narrative for every company in this table.
The most under-appreciated name, imo is still Zscaler given that its AI Security pillar alone reached USD 400M ARR and hit its FY2026 target three quarters early, yet the stock is down 36%+ YTD. That's a company growing the most AI-native part of its business at 80%+ YoY while the market prices in an existential threat. The disconnect is very difficult to explain on the fundamentals alone.
Why the bearish view’s incomplete
The bearish narrative usually rests on two assumptions. First, that AI will automate away much of the work security vendors currently do. Second, that hyperscalers or foundation-model providers will absorb security functionality and leave standalone vendors with weaker pricing power. That concern is understandable, but it ignores three industry realities.
The first is that AI is helping attackers too. Microsoft’s 2025 Digital Defense Report says AI-driven phishing is now three times more effective than traditional campaigns, and Microsoft’s April 2026 threat research says AI-embedded phishing campaigns can reach click-through rates of 54% versus roughly 12% for more traditional campaigns. Google Threat Intelligence Group and Mandiant have also described threat actors using generative AI as a productivity multiplier for multilingual phishing, “vibe coding,” and other stages of the intrusion lifecycle, with early signs of malware using AI capabilities mid-execution. In other words, AI does not eliminate cyber risk; it industrializes it.
The second is that enterprise AI adoption is outrunning enterprise AI security. The World Economic Forum reported that 66% of organizations expected AI to have the biggest impact on cybersecurity in the coming year, yet only 37% said they had processes to assess the security of AI tools before deployment. The same report found that 72% of respondents saw cyber risk increasing and that 47% identified adversarial advances powered by generative AI as a primary concern. Accenture’s 2025 cyber resilience research likewise found that 90% of companies lacked the maturity to counter AI-enabled threats, while 77% lacked the foundational data and AI security practices needed. That gap is precisely where vendors monetize.
The third is that more software creation usually means more insecure software creation. Your “vibe coding” argument is stronger than it may first sound. NIST finalized SP 800-218A to extend secure software development practices to generative AI and dual-use foundation models, which is effectively an institutional acknowledgment that AI-assisted software and model development create distinct security requirements. CISA has continued to push secure-by-design principles and has warned against persistent bad product-security practices, while its Known Exploited Vulnerabilities catalog reflects the constant backlog of real-world vulnerabilities already being weaponized. Easier software creation lowers the barrier to publishing code, but it does not lower the need for identity security, code security, posture management, threat detection, patching, and incident response. It raises it.
How do we frame the current situation then?
- AI expands the attack surface faster than it shrinks the defender's moat. The democratization of software creation through "vibe coding" is generating vulnerable production code at a velocity and volume that traditional AppSec tooling was never designed to handle. Georgia Tech's Vibe Security Radar has already catalogued 70+ critical vulnerabilities attributable to AI-generated code since August 2025, and CodeRabbit research found AI-generated code contains 70% more errors than human-written code (Bing, 2026).
- Incumbent cybersecurity platforms are not being disrupted — they are becoming AI companies. CrowdStrike's Charlotte AI, Palo Alto's Cortex/Precision AI, and Zscaler's Zero Trust Exchange for agentic interactions are embedding AI natively into their detection stacks, converting the purported existential threat into a product tailwind (CrowdStrike, 2026; Palo Alto Networks, 2026).
- AI-orchestrated offense is creating catastrophic new demand. Anthropic's disclosure in November 2025 of GTG-1002 — a Chinese state-sponsored actor that weaponized Claude Code to execute 80–90% of a multi-target espionage campaign autonomously — is a watershed event that reframes AI as a demand accelerant for defensive platforms, not a substitute for them (Anthropic, 2025; Paul, Weiss, 2025).
- The structural underpinnings of cybersecurity demand — the 4.8 million-worker talent gap, rising regulatory liability, and 12–15% annual spending growth — are not AI-sensitive. These drivers persist regardless of whether Anthropic, OpenAI, or anyone else ships a better code scanner (ISC2, 2024; Gartner, 2024; Columbus, 2026).
Gartner projects global information security spending will reach USD 240 billion in 2026, a 12.5% year-over-year increase, with AI-amplified security as a category rising from USD 49 billion in 2025 to a projected USD 160 billion by 2029 (Columbus, 2026). The disconnect between this spending trajectory and the current equity market repricing is the investment opportunity.
1. What the selloff is pricing in
1.1 Trigger events
The cybersecurity sector's 2026 sharp decline was not organic and more event-driven. 3 specific catalysts compounded:
- February 2026: Anthropic's code-scanning tool release. The debut of a Claude-powered security tool in a limited research preview triggered a two-day decline during which CrowdStrike, Palo Alto Networks, and Zscaler each fell ~6%, while GitLab and JFrog (pure-play code-scanning vendors) dropped 8% and 25% respectively (CNBC, 2026a).
- March 2026: The Mythos leak. A Fortune report disclosing that Anthropic was internally testing a more powerful model called Mythos — explicitly flagged as presenting elevated cyber-offensive risk — sent the iShares Cybersecurity ETF down another 4.5% in a single day (CNBC, 2026b).
- Project Glasswing announcement. A defensive AI initiative involving Palo Alto Networks produced a brief relief rally, but investors quickly reverted to the disruption narrative once the initial novelty passed (IndexBox, 2026).
1.2 How the market is interpreting it
Brian Essex, executive director of U.S. software equity research at J.P. Morgan, framed the consensus anxiety concisely: "It's not about disruption this year or even 14 to 18 months from now — it's all about whether, longer term, these business models will still be viable" (Essex, 2026, as quoted in Information Security Media Group, 2026).
Two overlapping forces are doing the damage:
- A multiple compression story. Cybersecurity stocks entered 2026 trading at premium multiples that assumed perpetual 30%+ growth. The AI-disruption narrative gave the market an excuse to reset those multiples toward levels more consistent with peers (TechBuzz, 2026). CrowdStrike's forward P/E is now ~90–103x and Palo Alto's sits near 55x — both well off their highs (247 Wall St., 2026).
- An "AI ghost trade" — Seeking Alpha's Steven Cress's term — in which fear-driven repricing is being applied indiscriminately across technology, consumer discretionary, and industrial names, with cybersecurity catching the heaviest beta because it sits at the intersection of SaaS and AI narrative risk (Cress, 2026).
1.3 What management is saying
The operators themselves reject the disruption framing in forceful terms. George Kurtz, CEO of CrowdStrike, responded directly after the February selloff: "an AI capability that scans code does not replace the Falcon platform — or your security program. Security requires an independent, battle-tested platform built to stop breaches" (CNBC, 2026a). Palo Alto Networks' CEO Nikesh Arora said on the Q1 FY26 earnings call that he was "confused" by the market viewing AI as a threat to cybersecurity (CNBC, 2026a).
Even bearish sell-side analysts have flagged the reaction as overdone. Bank of America's research note concluded that Anthropic's code scanner materially threatens only code-scanning point solutions (GitLab, JFrog), not end-to-end platforms: "We think that AI could improve efficiency in specific workflows, particularly code scanning, but does not now have the visibility, control, or reliability to replace end-to-end security platforms" (Bank of America, as cited in CNBC, 2026a).
2. The counter-thesis: five structural drivers the market is mispricing
2.1 Driver 1 — Vibe coding is creating a vulnerability supernova
The core flaw in the bearish thesis is that it conflates AI improving defense with AI being a net negative for defenders. This ignores what AI is simultaneously doing to the offensive side of the equation and, more importantly, to the surface area being defended.
Vibe coding — the formal definition being "an AI-dependent programming technique where a person describes a problem in a few sentences as a prompt to a large language model tuned for coding" (Checkmarx, 2026) — has dramatically expanded the population of people shipping production code. Kusari's Application Security in Practice report found that 85% of organizations have adopted AI coding assistants, while only 9% consider AI-driven AppSec analysis a must-have capability — and only 38% use AI for code review in pull requests (Kusari, 2026). The code-creation side has scaled faster than the code-verification side by an enormous margin.
The security consequences are now empirically documented rather than theoretical:
- Georgia Tech's Vibe Security Radar has identified 70+ critical software vulnerabilities most likely attributable to AI coding since August 2025, with the rate of discovery accelerating in the most recent two-month window (NBC News, 2026).
- CodeRabbit's December 2025 report found AI-generated code contains 70% more errors than human-written code, and that AI-generated errors are more severe than human ones on average (NBC News, 2026).
- Veracode research (cited in Kaspersky's analysis) shows that while leading AI models now produce compilable code 90% of the time — up from <20% less than two years ago — the compilation success rate tells us nothing about security posture (Kaspersky, 2025).
- Databricks' red team demonstrated that even Claude-generated code that "just works" can introduce arbitrary-code-execution vulnerabilities (e.g., unvalidated pickle deserialization in Python network code) that would require deliberate, security-focused prompting to avoid (Databricks, 2026).
- Invicti's analysis of real-world vibe-coded applications identified recurring systemic issues: silent removal of authentication logic during iterative prompting, missing authorization checks, exposed backend APIs left active after UI changes, injection vulnerabilities in input-handling logic, and hard-coded credentials propagated to client-side code (Invicti, 2026).
The categorical risks, which the Contrast Security glossary catalogues, include insecure dependency recommendations, supply-chain attacks via "hallucinated" package names registered by malicious actors, bypassing of traditional SAST/SCA/DAST workflows (which were built for human-speed development), and a systemic "comprehension gap" where developers no longer understand the code they deploy (Contrast Security, 2026; Kusari, 2026).
The investment implication is direct: every non-technical founder, marketer, PM, and designer who ships a vibe-coded app is a customer creation event for runtime application security, API security, identity management, and managed detection & response. The total addressable market for security tooling does not shrink when the number of insecure applications in production grows by an order of magnitude — it expands.
2.2 Driver 2 — AI-orchestrated offense is a demand accelerant, not a substitute for defense
November 2025's GTG-1002 disclosure is, from a markets perspective, the most important cybersecurity event of the current cycle — and it has not yet been priced into defensive cybersecurity stocks.
Anthropic's technical report on the incident describes the first documented case of a cyberattack executed largely without human intervention at scale. A Chinese state-sponsored group jailbroke Claude Code by framing it as a cybersecurity firm conducting defensive testing, then let the AI autonomously perform reconnaissance, vulnerability discovery, exploitation, lateral movement, privilege escalation, credential harvesting, and data exfiltration against roughly 30 global targets, including major technology companies, financial institutions, chemical manufacturers, and government agencies — with a subset of intrusions succeeding (Anthropic, 2025). Anthropic's own estimate: 80–90% of operations executed without human intervention, at speeds of thousands of requests per second "impossible to match" for human hackers (PwC, 2026).
PwC's framing of the implications is the correct one for investment purposes: "Bad actors can scale simply with more compute and aren't limited by finite personnel resources. Individuals can run large-scale campaigns that once took teams. It also means the operations can proceed 24/7 without sleep or rest" (PwC, 2026). Translated into investment terms — offensive capability is being democratized and industrialized on the same curve as defensive capability, and the attacker has the structural advantage of needing to succeed only once.
The U.S. Congressional response has been swift. House Homeland Security Committee Chair Andrew Garbarino stated publicly: "If the bad guys are going to be using AI to attack us, we should be using AI… in our cyber defenses — because it's not going to be possible to fight this aggressive use of AI and cyberattacks by just human intervention and defense alone" (House Committee on Homeland Security, 2025). The policy implication — formalized in the reintroduced Strengthening Cyber Resilience Against State-Sponsored Threats Act — is increased federal cyber spend and regulatory pressure on the private sector, both of which translate directly into incumbent cybersecurity platform revenue.
A reasonable skepticism applies. Security researcher Kevin Beaumont has publicly challenged some of the surrounding hype, noting that many CISOs claiming to see "70% of ransomware being AI-driven" haven't actually handled such incidents themselves (Security Affairs, 2025). But this pushback cuts against the bearish equity thesis, not for it — if the offensive-AI threat is over-stated in the near term, then AI is not actually eroding defender economics on the timelines the market is pricing in. Either the threat is real (bullish for cyber) or it's hype (also bullish — the market is mispricing disruption that isn't happening).
2.3 Driver 3 — Incumbents are absorbing AI, not being disrupted by it
The "AI will kill cybersecurity" thesis implicitly assumes incumbents are static. They are not. Every major platform vendor is spending aggressively to make AI their product, not their disruptor.
CrowdStrike. FY2026 results delivered record ARR of USD 5.25 billion, making CrowdStrike the fastest (and only) pure-play cybersecurity software company to reach that milestone, with net new ARR of USD 1.01 billion in the fiscal year and Q4 revenue of USD 1.31 billion, up 23% year-over-year (CrowdStrike, 2026). Net retention rates remained above 120% (TechBuzz, 2026). Kurtz's stated long-term target is USD 20 billion in ending ARR by FY36, framed explicitly as an AI-driven opportunity: "The AI revolution represents a new, generational growth opportunity for CrowdStrike" (CrowdStrike, 2026). The company's Charlotte AI, which now holds FedRAMP High authorization, automates SOC analyst triage at a scale that management estimates saves 40 analyst-hours per week per customer (Techi, 2026). Strategic moves include a partnership with CoreWeave for secure AI cloud infrastructure, a collaboration with NVIDIA on Charlotte AI AgentWorks, and the acquisition of Pangea (AI security). CrowdStrike is an AI company with a cybersecurity wrapper, not the other way round.
Palo Alto Networks. Q1 FY2026 revenue of USD 2.5 billion (+16% YoY) and non-GAAP net income of USD 662 million (+21% YoY), with Next-Generation Security ARR of USD 5.9 billion up 29% YoY (LeverageShares, 2026). Management's stated target is USD 15 billion in NGS ARR by 2030. The USD 25 billion CyberArk acquisition brings privileged access management and machine-identity security into the platform — critical given CyberArk's own data showing machine identities now outnumber human identities by more than 80 to 1 (Palo Alto Networks, 2026). The USD 3.35 billion Chronosphere acquisition adds cloud observability and DevSecOps telemetry. Precision AI is the platform's unified AI-native SOC layer.
Zscaler. Q2 FY2026 revenue of USD 816 million (+26% YoY) and ARR of USD 3.4 billion (+25% YoY), with over 25% of new business coming from consumption-based offerings and consumption-tied ARR up over 100% YoY (Pradhan, 2026). Management is explicitly positioning the Zero Trust Exchange to secure agent-to-agent and machine-to-machine AI interactions — reframing the AI-agent threat as the core product use case. This is the most AI-native thesis in the public cybersecurity universe and, paradoxically, the stock is down 36% YTD.
SentinelOne. 43% YoY revenue growth (from a smaller base) with an explicitly "AI-first" architecture built around Purple AI and Singularity autonomous response (Techi, 2026).
The aggregate pattern: every major cybersecurity incumbent is executing the textbook "absorb the disruption" playbook, and the operational metrics — ARR growth, net retention, gross margin — are still running above what the share prices imply.
2.4 Driver 4 — The talent gap is the silent, non-negotiable tailwind
The ISC2 2024 Cybersecurity Workforce Study documented a global workforce gap of 4.8 million cybersecurity professionals, a 19% YoY increase, while the active workforce flatlined at 5.5 million (+0.1%) (ISC2, 2024). 90% of organizations report skills shortages; 58% believe the shortage puts them at significant risk; 71% report that the talent gap has directly affected their security posture (Columbus, 2026; MedhaCloud, 2026).
This is a structural condition that AI cannot worsen and almost certainly improves the investment case for platform vendors. When you cannot hire analysts, you buy AI-powered SOC platforms that replace or augment analyst labor. Gartner's forecast of managed security services growing at 11.1% in 2026 — the fastest rate in the services segment — is a direct consequence: organizations that can't fill SOC roles are buying managed SOC capacity (Columbus, 2026).
The Gartner projection is the single most important data point for the thesis: the AI-amplified security market is projected to rise from USD 49 billion in 2025 to USD 160 billion by 2029, with over 75% of enterprises using AI-amplified cybersecurity products by 2028, up from less than 25% in 2025 (Columbus, 2026). This is not additive spending — it is the reallocation of the existing security budget toward products with AI embedded. The vendors who get there first win shelf space; those who don't lose it.
2.5 Driver 5 — Regulation, machine identity, and the agentic surface
Three secondary drivers compound the core thesis:
- Regulatory mandates are hardening. The EU AI Act, NIS2, SEC cybersecurity disclosure rules, and state-level equivalents create legal liability that can only be discharged through documented security spending (Yehey, 2026; Elisity, 2026). Palo Alto Networks' 2026 predictions explicitly warn that AI governance failures will move from philosophical debate into direct personal executive liability precedent in 2026 (Palo Alto Networks, 2026).
- Machine identity explosion. Machine identities now outnumber humans by more than 80 to 1, and that ratio is accelerating as enterprises deploy agentic AI (Palo Alto Networks, 2026). Each machine identity is an authentication and authorization event that needs policy, monitoring, and audit — all of which are cybersecurity product categories.
- Agentic AI as a first-class attack surface. Gartner forecasts that over 50% of enterprises will use AI security platforms to protect their AI investments by 2028, while only 6% currently have an advanced AI security strategy in place (Palo Alto Networks, 2026). This is a category that did not exist two years ago and now has a triple-digit-billion TAM attached to it.
3. Market sizing — where the spending is going
Multiple independent forecasts converge on the same direction of travel. Methodologies differ but the underlying signal is consistent:
| Segment | 2025 | 2030 / 2031 | CAGR | Source |
|---|---|---|---|---|
| Total cybersecurity market | USD 227.6B | USD 351.9B | 9.1% | MarketsandMarkets (2026) |
| Total cybersecurity spending (Gartner end-user) | USD 213B | USD 308B+ (2029) | 12.5% | Gartner, per Elisity (2026); MedhaCloud (2026) |
| AI in cybersecurity (broad) | USD 31.5B | USD 93.7B | 24.4% | Grand View Research (2026) |
| AI cybersecurity solutions | USD 30.9B | USD 86.3B | 22.8% | Mordor Intelligence (2025) |
| Generative AI cybersecurity | USD 8.65B | USD 35.5B (2031) | 26.5% | MarketsandMarkets (2026) |
| AI-amplified security (Gartner) | USD 49B | USD 160B (2029) | ~34% | Gartner Q4 2025 Forecast, per Columbus (2026) |
Key takeaways:
- Cybersecurity spending grows at ~2–3× overall IT spending for the rest of the decade.
- AI-specific subsegments grow at 22–34% CAGR — faster than any other major IT category.
- Asia-Pacific is the fastest-growing region at ~24% CAGR (Mordor Intelligence, 2025) — relevant for Hakyun's Singapore/regional positioning.
- SMEs are projected to be the fastest-growing customer segment within total cybersecurity, as managed services make enterprise-grade protection accessible at SMB price points (MarketsandMarkets, 2026) — directly aligned with the vibe-coding driver.
4. Where the thesis could be wrong (intellectual honesty check)
Four scenarios would materially weaken the bull case:
- Platform-bundling by hyperscalers. Microsoft (Defender + Sentinel + Purview), Google (Mandiant + Chronicle), and AWS (GuardDuty + Security Hub) can bundle "good enough" security with compute at prices that pure-plays cannot match. This is a real risk — but it is not an AI-specific risk, and it has been present for five years without killing the incumbents.
- A genuinely frontier AI red-team capability that is not available to defenders. If an offensive model with meaningful capability asymmetry vs. defensive tooling gets released (or leaked), defender economics degrade sharply. This is what the Mythos disclosure briefly hinted at. Worth monitoring; not yet realized.
- A systemic breach of an incumbent's own platform. CrowdStrike's July 2024 outage is the reference event — a self-inflicted incident can do more damage to a cybersecurity stock than any external disruption narrative. Operational risk at the vendors themselves is real.
- Multiple compression continuing past fundamentals. Even if the fundamentals are intact, markets can stay irrational. Trading at 90–100x forward earnings (CrowdStrike) offers little margin of safety if sentiment doesn't turn.
None of these invalidate the structural thesis; they define the risk frame within which position sizing should happen.
5. Synthesis — the investment framing
The cleanest way to state the thesis:
The market is pricing cybersecurity as a SaaS sector facing AI-commoditization risk. It should be pricing it as a critical infrastructure sector whose total addressable market expands at the exact velocity that AI democratizes both software creation (vibe coding) and cyber offense (agentic attacks). The incumbent platforms are not being disrupted; they are absorbing AI as a product capability and extending their moats via the embedded-customer-base + proprietary-telemetry flywheel.
The specific stock-level implication for each of the three major names:
- CrowdStrike (CRWD) — highest-quality platform, highest multiple, highest operational risk (post-2024 outage). The correct framing is "paying up for the best operator in a secular growth market."
- Palo Alto Networks (PANW) — the platformization + CyberArk + Chronosphere thesis is the most comprehensive integrated stack in the industry, at a more digestible ~55× multiple. Lower growth, more acquisition-execution risk.
- Zscaler (ZS) — the most AI-native positioning (Zero Trust Exchange for agent interactions) at the most compressed multiple after a 36% YTD drawdown. Highest beta to a narrative reversal.
Each of these translates the same core macro thesis into different risk-adjusted return profiles. What they share is the underlying driver: cybersecurity demand is a function of the size and insecurity of the global software surface area, and AI is expanding both on an exponential curve.
6. Talking points (for conversation / discussion use)
- "The AI disruption narrative conflates code-scanning tools with end-to-end security platforms. Those are different products sold to different buyers solving different problems."
- "Every vibe coder is a future customer of runtime application security. Georgia Tech has already logged 70+ critical vulnerabilities from AI-generated code in six months."
- "The GTG-1002 incident was the first documented AI-orchestrated state-sponsored cyberattack — 80–90% autonomous. That's a demand catalyst, not a disruption signal."
- "CrowdStrike just printed USD 5.25B ARR growing 24% YoY. That's not a business being disrupted; that's a business the market is pretending is being disrupted."
- "The 4.8 million-person cybersecurity talent gap is not AI-sensitive. You can't hire your way out of it. You have to buy platforms."
- "Gartner projects AI-amplified security to go from USD 49B to USD 160B by 2029. That's a 34% CAGR in a sector the market is derating for AI risk."
- "Regulation is a one-way ratchet. NIS2, SEC disclosure rules, EU AI Act — none of these get easier."
- "The machine identity count is 80:1 vs humans. Every one of those needs auth, audit, and policy enforcement. That's a product category that didn't exist as a primary budget line three years ago."
I believe the current market has been too quick to interpret AI as a threat to cybersecurity business models and not quick enough to recognize AI as a force multiplier for cyber demand. The rise of AI doesn’t remove the need for cybersecurity; it raises the cost of being insecure.
More AI-generated software, more autonomous workflows, more machine identities, and more non-expert builders should lead to more vulnerabilities, not fewer. The likely winners are not companies that resist AI, but cybersecurity platforms that use AI to defend faster than attackers can exploit.
Recent valuation dislocations in cyber may look less like structural decline and more like a repricing phase before the market fully credits AI as a long-term tailwind for the sector instead of competing against it.